From cove...@apache.org
Subject svn commit: r1497371 - in /httpd/httpd/trunk: CHANGES docs/manual/mod/mod_authnz_ldap.xml modules/aaa/mod_authnz_ldap.c
Date Thu, 27 Jun 2013 14:25:50 GMT
Author: covener
Date: Thu Jun 27 14:25:50 2013
New Revision: 1497371

URL: http://svn.apache.org/r1497371
Log:
authnzldap: support "none" as a filter to suppress the use of a search filter,
which is required by some mainframe security products that serve their native
registry over LDAP.

Modified:
    httpd/httpd/trunk/CHANGES
    httpd/httpd/trunk/docs/manual/mod/mod_authnz_ldap.xml
    httpd/httpd/trunk/modules/aaa/mod_authnz_ldap.c

Modified: httpd/httpd/trunk/CHANGES
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/CHANGES?rev=1497371&r1=1497370&r2=1497371&view=diff
==============================================================================
--- httpd/httpd/trunk/CHANGES [utf-8] (original)
+++ httpd/httpd/trunk/CHANGES [utf-8] Thu Jun 27 14:25:50 2013
@@ -1,6 +1,10 @@
                                                          -*- coding: utf-8 -*-
 Changes with Apache 2.5.0
 
+  *) mod_authnz_ldap: Support primitive LDAP servers do not accept
+     filters, such as "SDBM-backed LDAP" on z/OS, by allowing a special
+     filter "none" to be specified in AuthLDAPURL. [Eric Covener]
+
   *) mod_file_cache: mod_file_cache should be able to serve files that
      haven't had a Content-Type set via e.g. mod_mime. [Eric Covener]
 

Modified: httpd/httpd/trunk/docs/manual/mod/mod_authnz_ldap.xml
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/manual/mod/mod_authnz_ldap.xml?rev=1497371&r1=1497370&r2=1497371&view=diff
==============================================================================
--- httpd/httpd/trunk/docs/manual/mod/mod_authnz_ldap.xml (original)
+++ httpd/httpd/trunk/docs/manual/mod/mod_authnz_ldap.xml Thu Jun 27 14:25:50 2013
@@ -1301,7 +1301,9 @@ You can of course use search parameters 
         will search for all objects in the tree. Filters are
         limited to approximately 8000 characters (the definition of
         <code>MAX_STRING_LEN</code> in the Apache source code). This
-        should be more than sufficient for any application.</dd>
+        should be more than sufficient for any application. The word "none"
+        may be used to not use any filter, which may be required by some
+        primitive LDAP servers.</dd>
 </dl>
 
     <p>When doing searches, the attribute, filter and username passed

Modified: httpd/httpd/trunk/modules/aaa/mod_authnz_ldap.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/aaa/mod_authnz_ldap.c?rev=1497371&r1=1497370&r2=1497371&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/aaa/mod_authnz_ldap.c (original)
+++ httpd/httpd/trunk/modules/aaa/mod_authnz_ldap.c Thu Jun 27 14:25:50 2013
@@ -217,6 +217,7 @@ static void authn_ldap_build_filter(char
     apr_size_t inbytes;
     apr_size_t outbytes;
     char *outbuf;
+    int nofilter = 0;
 
     if (sent_user != NULL) {
         user = apr_pstrdup (r->pool, sent_user);
@@ -249,7 +250,13 @@ static void authn_ldap_build_filter(char
      * Create the first part of the filter, which consists of the
      * config-supplied portions.
      */
-    apr_snprintf(filtbuf, FILTER_LENGTH, "(&(%s)(%s=", filter, sec->attribute);
+
+    if ((nofilter = (filter && !strcasecmp(filter, "none")))) { 
+        apr_snprintf(filtbuf, FILTER_LENGTH, "(%s=", sec->attribute);
+    }
+    else { 
+        apr_snprintf(filtbuf, FILTER_LENGTH, "(&(%s)(%s=", filter, sec->attribute);
+    }
 
     /*
      * Now add the client-supplied username to the filter, ensuring that any
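Review bot: The sentinel test on the `if ((nofilter = ...))` line buries an assignment inside the condition and hard-codes a "none" literal that is compared again elsewhere in this file under a different NULL rule; the doubled parentheses only silence the compiler warning. Assign on its own line and give the rule a name both sites can share, e.g. `nofilter = authn_ldap_filter_is_none(filter);` backed by `static int authn_ldap_filter_is_none(const char *f) { return f != NULL && strcasecmp(f, "none") == 0; }`. With nofilter set the filter collapses to `(attribute=user)`, so the username-escaping step the following comment describes is the only thing separating the client-supplied value from filter syntax; it is unchanged by this hunk and remains required on this path. authn_ldap_build_filter begins before this hunk and continues after it.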
@@ -303,8 +310,16 @@ static void authn_ldap_build_filter(char
      * Append the closing parens of the filter, unless doing so would
      * overrun the buffer.
      */
-    if (q + 2 <= filtbuf_end)
-        strcat(filtbuf, "))");
+
+    if (nofilter) { 
+        if (q + 1 <= filtbuf_end)
+            strcat(filtbuf, ")");
+    } 
+    else { 
+        if (q + 2 <= filtbuf_end)
+            strcat(filtbuf, "))");
+    }
+
 }
 
 static void *create_authnz_ldap_dir_config(apr_pool_t *p, char *d)
@@ -545,6 +560,11 @@ static authn_status authn_ldap_check_pas
                       "user %s authentication failed; URI %s [%s][%s]",
                       user, r->uri, ldc->reason, ldap_err2string(result));
 
+        /* talking to a primitive LDAP server (like RACF-over-LDAP) that doesn't return specific
errors */
+        if (!strcasecmp(sec->filter, "none") && LDAP_OTHER == result) { 
+            return AUTH_USER_NOT_FOUND;
+        }
+
         return (LDAP_NO_SUCH_OBJECT == result) ? AUTH_USER_NOT_FOUND
 #ifdef LDAP_SECURITY_ERROR
                  : (LDAP_SECURITY_ERROR(result)) ? AUTH_DENIED
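Review bot: The new check dereferences `sec->filter` with no NULL guard, whereas the matching test in authn_ldap_build_filter is written `filter && !strcasecmp(filter, "none")`; if the filter can be unset for a location, every failed password check through this path is a NULL dereference. Guard it the same way: `if (sec->filter && !strcasecmp(sec->filter, "none") && LDAP_OTHER == result) {`. Mapping the generic LDAP_OTHER result to AUTH_USER_NOT_FOUND is also a security-relevant choice that deserves a comment: AUTH_USER_NOT_FOUND is, as I read the provider chain, what allows a subsequent authn provider to be consulted, so on these servers a genuine backend error becomes indistinguishable from an unknown user, and only the preceding "authentication failed" log line (which does record ldc->reason) preserves the real cause. A comment such as `/* RACF-over-LDAP reports unknown users as LDAP_OTHER; treating that as not-found keeps provider chaining working but also masks real server errors */` would make the trade-off explicit. authn_ldap_check_password starts before this hunk and the return expression continues past it.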


